Privacy Policy

Aspire Health Hub

Version 1.0

1. Introduction

I’m with Bruce AB (Swedish company registration number: 559037-5597), trading as Aspire Health Hub, is the data controller responsible for processing personal data in connection with the Aspire Health Hub platform (the “Platform”). The Platform is a digital tool designed to help HR professionals manage and track health-related investments and wellness programmes on behalf of their organisations.

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, with whom we share it, and what rights you have as a data subject. It has been prepared in accordance with:

  • Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”)
  • Sweden’s national data protection legislation, including the Dataskyddslagen (2018:218)
  • Guidance issued by the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, “IMY”)
  • Applicable guidance from the European Data Protection Board (“EDPB”)

If you have any questions about this Policy or about how we handle your personal data, please contact us at:

privacy@aspirehealthhub.se

2. Who We Are — Data Controller

Data Controller: I’m with Bruce AB, trading as Aspire Health Hub

Registered address: Kungsgatan 52, 111 35 Stockholm, Sweden

Organisation number: 559037-5597

Privacy contact: privacy@aspirehealthhub.se

3. Scope and Users of the Platform

The Platform is a business-to-business (B2B) service. The primary users (“Users”) of the Platform are HR professionals and administrators acting on behalf of their employer organisations (“Client Organisations”). Client Organisations are themselves data controllers in relation to their employees’ data, and I’m with Bruce AB acts as a data processor when processing personal data on their behalf pursuant to a separate Data Processing Agreement (DPA).

This Privacy Policy governs the personal data that I’m with Bruce AB processes as a data controller in relation to:

  • HR professionals and administrators who register for and use the Platform
  • Individuals whose health and wellness information is entered into or generated within the Platform
  • Visitors to the Aspire Health Hub website

4. Personal Data We Collect

4.1 Identity and Contact Data

When you register for or use the Platform, we collect:

  • Full name
  • Work email address
  • Job title and employer organisation
  • Login credentials (encrypted)

4.2 Health and Wellness Data (Special Category Data)

The Platform is designed to support the management of health investments and wellness programmes. Accordingly, it may process data that constitutes special category data under GDPR Article 9, including:

  • Health status information and wellness indicators
  • Absence records linked to health or illness
  • Participation in wellness programmes or health-related activities
  • Information relating to physical or mental health entered by or on behalf of employees

This data is processed exclusively on the documented instructions of Client Organisations, who bear responsibility as data controllers for ensuring appropriate consent or other legal bases are in place vis-à-vis their employees.

4.3 Employment and HR Data

  • Employee identifiers and organisational hierarchy information
  • Role, department, and employment status
  • Data relating to health benefit utilisation or health investment tracking

4.4 Usage and Analytics Data

  • Log data (IP address, browser type, pages visited, timestamps)
  • Platform interaction data (features used, session duration)
  • Device and operating system information
  • Cookies and similar tracking technologies (see Section 9)

5. Legal Bases for Processing

We process personal data only where we have a valid legal basis under GDPR Article 6 and, for special category data, an additional condition under Article 9.

5.1 Ordinary Personal Data (Article 6)

Contract performance (Article 6(1)(b)): Processing necessary to provide the Platform and fulfil our contractual obligations to Client Organisations and their authorised Users.

Legitimate interests (Article 6(1)(f)): Processing for analytics, platform security, fraud prevention, and service improvement, where these interests are not overridden by the data subject’s rights.

Legal obligation (Article 6(1)(c)): Processing required to comply with applicable Swedish and EU law, including tax, corporate, and regulatory obligations.

Consent (Article 6(1)(a)): Where we rely on consent (e.g., for certain marketing communications), you may withdraw consent at any time without affecting prior processing.

5.2 Special Category Data (Article 9)

Health and wellness data is processed on one or more of the following bases:

Explicit consent (Article 9(2)(a)): Where the data subject has given explicit consent to the processing of their health data for specified purposes.

Employment and social security law (Article 9(2)(b)): Where processing is necessary for the purposes of carrying out obligations and exercising rights in the field of employment and social security law, to the extent permitted under Swedish law.

Preventive or occupational medicine (Article 9(2)(h)): Where processing is necessary for preventive or occupational medicine purposes, for the assessment of working capacity, or the management of health care systems.

6. Purposes of Processing

We process personal data for the following purposes:

  • Providing, operating, and improving the Platform and its features
  • User authentication, account management, and platform security
  • Enabling HR professionals to manage and analyse health investment data
  • Generating aggregated, anonymised reporting and analytics
  • Communicating with Users about their accounts, updates, and support
  • Complying with legal and regulatory obligations
  • Preventing fraud, abuse, and unauthorised access
  • Marketing and promotional communications (only where consent has been obtained)

7. Sharing of Personal Data

7.1 Sub-processors and Third Parties

We may share personal data with trusted third-party service providers (“sub-processors”) who assist us in delivering the Platform. All sub-processors are bound by data processing agreements and are required to implement appropriate technical and organisational security measures. Current sub-processors include, but may not be limited to:

  • Cloud infrastructure provider (EU-based): For secure hosting and storage of Platform data
  • Google LLC (Google Analytics): For website and platform usage analytics. Data may be subject to Google’s standard contractual clauses for international transfers
  • Braze: For CRM, email, and marketing communications. Transfers are governed by standard contractual clauses
  • Other SaaS providers: Including communication, support, and security tooling

An up-to-date list of sub-processors is available upon request by contacting privacy@aspirehealthhub.se.

7.2 Client Organisations

Where we act as a data processor on behalf of a Client Organisation, we process personal data strictly according to that organisation’s instructions and the terms of the applicable DPA.

7.3 Legal Disclosure

We may disclose personal data where required by law, court order, or regulatory authority, including Swedish authorities such as IMY or the Swedish Police Authority.

7.4 Business Transfers

In the event of a merger, acquisition, or sale of all or part of I’m with Bruce AB’s business, personal data may be transferred to the relevant successor entity, subject to equivalent data protection obligations.

8. International Transfers of Personal Data

Personal data is primarily stored and processed within the EU/EEA using EU-based cloud infrastructure. Where any sub-processor processes data outside the EU/EEA (for example, Google LLC is based in the United States), such transfers are carried out in accordance with Chapter V of the GDPR, relying on:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission
  • Adequacy decisions where applicable
  • Supplementary technical and organisational measures as required by EDPB guidance

You may request further information about international transfer safeguards by contacting privacy@aspirehealthhub.se.

9. Cookies and Tracking Technologies

The Platform and website use cookies and similar technologies for the following purposes:

Strictly necessary cookies: Required for the Platform to function. These cannot be disabled.

Analytics cookies: Used to understand how Users interact with the Platform (e.g., Google Analytics). These are only set with your consent.

Marketing cookies: Used to deliver relevant communications. These are only set with your consent.

You may manage your cookie preferences at any time via the cookie banner or by adjusting your browser settings. Please note that disabling certain cookies may affect Platform functionality.

10. Data Retention

We retain personal data for no longer than is necessary for the purposes for which it was collected, subject to applicable legal retention obligations. Our retention periods are guided by the following principles:

  • Account and identity data: Retained for the duration of the contractual relationship and for up to 3 years thereafter, unless a longer period is required by law
  • Health and wellness data: Retained strictly in accordance with the instructions of the Client Organisation and applicable law; deleted or returned upon termination of the DPA
  • Usage and analytics data: Retained in aggregated or anonymised form for up to 24 months
  • Legal and financial records: Retained for the period required by Swedish law (typically 7 years under the Swedish Bookkeeping Act (Bokföringslagen))

When personal data is no longer required, it is securely deleted or anonymised in accordance with our data deletion procedures.

11. Security Measures

I’m with Bruce AB implements appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction, in accordance with GDPR Article 32. These measures include:

  • Encryption of data in transit (TLS) and at rest
  • Access controls and role-based permissions
  • Regular security testing and vulnerability assessments
  • Employee training on data protection and information security
  • Incident response and data breach notification procedures

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (IMY) within 72 hours of becoming aware of the breach, and affected individuals where required under GDPR Article 34.

12. Your Rights as a Data Subject

Under the GDPR and Swedish data protection law, you have the following rights:

Right of access (Article 15): You may request a copy of the personal data we hold about you.

Right to rectification (Article 16): You may request correction of inaccurate or incomplete personal data.

Right to erasure (Article 17): You may request deletion of your personal data in certain circumstances.

Right to restriction of processing (Article 18): You may request that we limit processing of your data in certain situations.

Right to data portability (Article 20): You may request a machine-readable copy of data you have provided to us.

Right to object (Article 21): You may object to processing based on legitimate interests or for direct marketing purposes.

Rights related to automated decision-making (Article 22): You have the right not to be subject to solely automated decisions that produce significant legal or similarly significant effects.

Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at privacy@aspirehealthhub.se. We will respond within one month. No fee is charged for standard requests; however, we may charge a reasonable fee or refuse manifestly unfounded or excessive requests.

Where we act as a data processor on behalf of a Client Organisation, please direct data subject requests to your employer organisation in the first instance, as they are the relevant data controller.

13. Right to Lodge a Complaint

You have the right to lodge a complaint with the Swedish supervisory authority if you believe we have processed your personal data in violation of applicable law:

Integritetsskyddsmyndigheten (IMY)

Website: www.imy.se

Email: imy@imy.se

Telephone: +46 8 657 61 00

Address: Box 8114, 104 20 Stockholm, Sweden

If you are located in another EU/EEA member state, you may also contact your local supervisory authority.

14. Children’s Data

The Platform is not directed at individuals under the age of 16. We do not knowingly collect personal data from minors. If you believe that a minor’s data has been submitted to the Platform without appropriate authorisation, please contact us at privacy@aspirehealthhub.se and we will take prompt action.

15. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The effective date at the top of this document will always reflect the most recent revision.

Where changes are material, we will notify Users by email or via a prominent notice on the Platform prior to the change taking effect. We encourage you to review this Policy periodically.

16. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact us:

I’m with Bruce AB, trading as Aspire Health Hub

Email: privacy@aspirehealthhub.se

Address: Kungsgatan 52, 111 35 Stockholm, Sweden

We aim to respond to all privacy-related enquiries within 5 business days.

This Privacy Policy was prepared for I’m with Bruce AB (Aspire Health Hub) and reflects the legal framework applicable as of the effective date above. It should be reviewed by qualified legal counsel prior to publication.